high

IAM privilege escalation via undocumented CodeStar API

Published Tue, Jun 18th, 2019
Platforms

Summary

The AWS CodeStar service had an undocumented API (codestar:CreateProjectFromTemplate) that allowed users with broadly-scoped CodeStar permissions to create a CodeStar project. As part of the creation process, AWS would create a new CodeStarWorker IAM policy & attach it to the user making the call. This policy granted full access to over 50 AWS services, including iam:AttachRolePolicy, iam:AttachUserPolicy and iam:PutRolePolicy permissions, which would allow the user to escalate to full administrator access. Following disclosure, AWS removed the majority of access granted by the CodeStarWorker policy, but this is still a viable escalation path if there are other misconfigurations in the environment.

Affected Services

Codestar

Remediation

If not using the CodeStar service, ensure that the “aws-codestar-service-role” is removed from all your accounts. Apply principle of least privilege to all CodeStar-related resources to ensure the codestar:CreateProjectFromTemplate permission is only granted when absolutely necessary. Implement monitoring on any users with access to the codestar:CreateProject and iam:PassRole actions to detect potential escalation attempts.

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Tue, Mar 19th, 2019
Exploitablity Period
Ongoing
Known ITW Exploitation
-
Detection Methods
-
Discovered by
Spencer Gietzen, Rhino Security Labs